llvmbot wrote:
<!--LLVM PR SUMMARY COMMENT-->

@llvm/pr-subscribers-clang

Author: None (DavidKorczynski)

<details>
<summary>Changes</summary>

There are cases where `Tok.is(tok::eof)` is true and `PP.mightHavePendingAnnotationTokens()` is also true, and in these cases a UAF may happen on the destroyed template IDs.

Fixes: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=23204

I am not sure whether a unit test is needed. I can add one in a similar style to https://github.com/llvm/llvm-project/pull/76676, but I am not sure if this is actually desired for OSS-Fuzz issues. In the end, OSS-Fuzz will catch any regressions and will also verify that the UAF is fixed.

---

Full diff: https://github.com/llvm/llvm-project/pull/77698.diff

1 Files Affected:

- (modified) clang/include/clang/Parse/Parser.h (+1-2)

``````````diff
diff --git a/clang/include/clang/Parse/Parser.h b/clang/include/clang/Parse/Parser.h
index 186dbb77085856..5531234a6ea084 100644
--- a/clang/include/clang/Parse/Parser.h
+++ b/clang/include/clang/Parse/Parser.h
@@ -311,8 +311,7 @@ class Parser : public CodeCompletionHandler {
   SmallVector<TemplateIdAnnotation *, 16> TemplateIds;
 
   void MaybeDestroyTemplateIds() {
-    if (!TemplateIds.empty() &&
-        (Tok.is(tok::eof) || !PP.mightHavePendingAnnotationTokens()))
+    if (!TemplateIds.empty() && !PP.mightHavePendingAnnotationTokens())
       DestroyTemplateIds();
   }
   void DestroyTemplateIds();
``````````

</details>

https://github.com/llvm/llvm-project/pull/77698

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
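Review bot: with the `Tok.is(tok::eof)` disjunct removed from `MaybeDestroyTemplateIds()`, the only remaining trigger for `DestroyTemplateIds()` is `!PP.mightHavePendingAnnotationTokens()`, so at end of file with annotation tokens still pending nothing in this hunk ever drains `TemplateIds`; please confirm that another path not shown here (for example the Parser destructor) destroys the remaining entries, otherwise the patch trades the use-after-free for a leak. A one-line comment above the condition explaining why EOF alone is not a safe point (pending annotation tokens may still refer to entries in `TemplateIds`) would also help, since the removed branch looks deliberate and a future reader may be tempted to restore it.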